Re: Seccomp allow/log action


 



On 7/8/20 2:31 PM, Topi Miettinen wrote:
On 8.7.2020 17.47, Chris PeBenito wrote:
I would like to implement a unit option that would make the seccomp action SCMP_ACT_LOG so that I can test SystemCallFilter settings without killing the services, like SELinux permissive mode.

I was reading this GitHub issue about seccomp actions from last year:

https://github.com/systemd/systemd/issues/11967

While it mentioned other actions, it was mainly about changing the kill action to kill the process rather than just the offending thread. There wasn't a solid conclusion about how allow/log actions would work in terms of unit options. I figure one option is adding a new option like SystemCallFilterAllow=bool that would conflict with SystemCallFilterErrno. If true it would set SCMP_ACT_LOG for the action. Having a setting for SCMP_ACT_ALLOW seems redundant since it's equivalent to commenting out the SystemCallFilter option since there's no logging.

I think it would be more flexible to extend the error code return per system call, like
SystemCallFilter=gettimeofday:LOG

Yes, that provides much more granularity but is it necessary to support that level of granularity in systemd? Fine-grained system call logging is available in the audit subsystem and is much more flexible.



For global error action, I'd propose SystemCallErrorNumber= to be superseded by more generic

SystemCallErrorAction= KILL | LOG | errno code


--
Chris PeBenito



